Microsoft said today that Chinese, Iranian, and Russian state-sponsored hackers had tried to breach email accounts belonging to people associated with the Biden and Trump election campaigns.
The “majority of these attacks” were detected and blocked, according to Tom Burt, Corporate Vice President for Customer Security & Trust at Microsoft.
Burt disclosed the incidents in a blog post today, after Reuters reported yesterday on some of the Russian attacks against the Biden camp.
In the blog post, Burt revealed additional attacks and also confirmed a DNI report from August that claimed that Chinese and Iranian hackers were also targeting the US election process.
According to Microsoft, the attacks carried out by Russian hackers were linked back to a group that the company has been tracking under the name Strontium, and which the cyber-security industry tracks as APT28 or Fancy Bear.
Microsoft says this group has been particularly active, targeting more than 200 organizations all over the world between September 2019 and today, with victims including:
- US-based consultants serving Republicans and Democrats;
- Think tanks such as The German Marshall Fund of the United States and advocacy organizations;
- National and state party organizations in the US;
- The European People’s Party and political parties in the UK.
Microsoft said that while Strontium usually carried out spear-phishing email attacks, in recent months the group has been using brute-force and password-spraying techniques as a complementary method for breaching accounts.
Since these attacks are very noisy and easy to detect, Microsoft said Strontium has been hiding its mass credential-harvesting operations by using “more than 1,000 constantly rotating IP addresses, many associated with the Tor anonymizing service” and by “adding and removing about 20 IPs per day to further mask its activity.”
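Rotating source addresses in this way defeats rules that only count failed logins per IP. The Python below is an added example, not Microsoft's detection logic and not part of the original report: it compares a per-IP rule with a source-independent rule that looks for many accounts each failing a few times in one window. The event tuple layout, the thresholds and the sample data are constructed assumptions.

```python
from collections import defaultdict

WINDOW_S = 3600  # aggregation window in seconds (assumed value)

def analyze(events, per_ip_limit=10, min_accounts=20, max_avg_tries=3.0):
    """events: (epoch_seconds, source_ip, account, success) tuples.
    Returns (per_ip_alerts, spray_windows)."""
    ip_fail = defaultdict(int)                         # (window, ip) -> failures
    acct_fail = defaultdict(lambda: defaultdict(int))  # window -> account -> failures
    ips = defaultdict(set)                             # window -> IPs seen failing
    for ts, ip, account, success in events:
        if success:
            continue
        w = ts - ts % WINDOW_S
        ip_fail[(w, ip)] += 1
        acct_fail[w][account] += 1
        ips[w].add(ip)

    # Classic rule: too many failures from a single address.
    per_ip_alerts = sorted(k for k, n in ip_fail.items() if n >= per_ip_limit)

    # Source-independent rule: many accounts failing, few tries per account.
    spray_windows = []
    for w, accounts in sorted(acct_fail.items()):
        total = sum(accounts.values())
        avg = total / len(accounts)
        if len(accounts) >= min_accounts and avg <= max_avg_tries:
            spray_windows.append({"window": w, "accounts": len(accounts),
                                  "failures": total, "source_ips": len(ips[w])})
    return per_ip_alerts, spray_windows

def constructed_sample():
    """Constructed data: 60 accounts, 2 failures each, every try from a new IP,
    plus one user who mistypes a password four times in a later window."""
    events = []
    for i in range(60):
        for attempt in range(2):
            n = i * 2 + attempt
            events.append((n * 20, f"198.51.100.{n + 1}",
                           f"user{i}@example.org", False))
    events += [(7200 + j * 5, "203.0.113.7", "alice@example.org", j == 4)
               for j in range(5)]
    return events

if __name__ == "__main__":
    print(analyze(constructed_sample()))
```

On the constructed sample the per-IP rule raises nothing, while the account-based rule flags the first window with 60 accounts, 120 failures and 120 distinct source addresses.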
On the other hand, the attacks carried out by Iranian hackers came from a group tracked as Phosphorus (also known as APT35, Charming Kitten, and the Ajax Security Team).
These attacks are a continuation of a campaign that started last year, and which Microsoft detected and warned about in October 2019.
At the time, Microsoft warned that the hackers targeted “a 2020 US presidential campaign,” but did not name which one. Through some open-source detective work, several members of the security community later tied the attacks to the Trump campaign.
Today, Microsoft confirmed that the attacks indeed targeted the Trump campaign, but also revealed new activity related to the group.
“Between May and June 2020, Phosphorus unsuccessfully attempted to log into the accounts of administration officials and Donald J. Trump for President campaign staff,” Burt said.
Furthermore, Burt added that after Microsoft used court orders to take control of 99 Phosphorus domains in March 2019, the company used the same tactic again to take over another 25 domains last month, which brought the company’s total to 155 domains formerly owned by Phosphorus.
But attacks were also detected from Chinese groups. While there are currently tens of hacking groups believed to operate under the orders and protection of the Chinese government, Microsoft said that the attacks targeting US campaigns came from a group known as Zirconium (APT31), which is the same group that Google spotted earlier this year, in June.
Microsoft says it detected thousands of attacks orchestrated by this group between March 2020 and September 2020, with the hackers gaining access to almost 150 accounts during that timeframe.
The targets of these attacks usually fell into two categories:
- People closely associated with US presidential campaigns and candidates.
- Prominent individuals in the international affairs community and academics in international affairs.
In the first category, Microsoft listed the Biden campaign (through non-campaign email accounts belonging to people affiliated with the campaign) and attacks against at least one individual formerly associated with the Trump Administration.